Reinicie um serviço através do apache

1

Estou usando o CentOS 6.6 tentando chamar o comando service em código PHP

exec("sudo -u kouser bash  ./1.bash 2>&1",$output,$code);

1.bash

#!/bin/bash
sudo service httpd graceful

A saída da execução

httpd: unrecognized service

Quando parei o sucesso da execução no SElinux. Eu quero executar meu código sem parar o SELinux, mas eu não quero usar audit2allow ; resolverá o problema, mas sem eu entender o porquê. quando usei audit2why não me deu mais informações.

tail / var / log / messages

May 16 11:21:34 Server6 setroubleshoot: SELinux is preventing /bin/bash from getattr access on the file /etc/rc.d/init.d/httpd. For complete SELinux messages. run sealert -l 92a5910b-1bfe-4b98-a2de-d773cce85051

sealert -l 92a5910b-1bfe-4b98-a2de-d773cce85051

SELinux is preventing /bin/bash from getattr access on the file /etc/rc.d/init.d/httpd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed getattr access on the httpd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep service /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:httpd_initrc_exec_t:s0
Target Objects                /etc/rc.d/init.d/httpd [ file ]
Source                        service
Source Path                   /bin/bash
Port                          <Unknown>
Host                          ERP-Server
Source RPM Packages           bash-4.1.2-40.el6.x86_64
Target RPM Packages           httpd-2.2.15-53.el6.centos.x86_64
Policy RPM                    selinux-policy-3.7.19-292.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ERP-Server
Platform                      Linux ERP-Server 2.6.32-504.3.3.el6.x86_64 #1 SMP
                              Wed Dec 17 01:55:02 UTC 2014 x86_64 x86_64
Alert Count                   22
First Seen                    Mon 23 May 2016 11:06:03 AM EEST
Last Seen                     Tue 07 Jun 2016 11:36:47 AM EEST
Local ID                      91c2c1ed-cb12-4d36-a655-c91d63827a16

Raw Audit Messages
type=AVC msg=audit(1465288607.625:383): avc:  denied  { getattr } for  pid=14705 comm="service" path="/etc/rc.d/init.d/httpd" dev=dm-0 ino=918236 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_initrc_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1465288607.625:383): arch=x86_64 syscall=stat success=no exit=EACCES a0=19ab9b0 a1=7fffc22e8060 a2=7fffc22e8060 a3=8 items=0 ppid=14704 pid=14705 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=service exe=/bin/bash subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash: service,httpd_t,httpd_initrc_exec_t,file,getattr

audit2allow

#============= httpd_t ==============
allow httpd_t httpd_initrc_exec_t:file getattr;

audit2allow -R

#============= httpd_t ==============
allow httpd_t httpd_initrc_exec_t:file getattr;

finalizar /var/log/audit/audit.log

type=CRED_DISP msg=audit(1463317995.800:917): user pid=5427 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_CMD msg=audit(1463317995.806:918): user pid=5434 uid=512 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='cwd="/var/www/html/1.php" cmd=7365727669636520687474706420677261636566756C terminal=? res=success'
type=CRED_ACQ msg=audit(1463317995.807:919): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1463317995.807:920): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1463317995.818:921): avc:  denied  { getattr } for  pid=5435 comm="service" path="/etc/rc.d/init.d/httpd" dev=dm-0 ino=918237 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1463317995.818:921): arch=c000003e syscall=4 success=no exit=-13 a0=1f37b20 a1=7fff10f16500 a2=7fff10f16500 a3=8 items=0 ppid=5434 pid=5435 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="service" exe="/bin/bash" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=USER_END msg=audit(1463317995.819:922): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1463317995.819:923): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1463317995.820:924): user pid=5388 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:session_close acct="kouser" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1463317995.820:925): user pid=5388 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="kouser" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
    
por Steve 17.05.2016 / 09:48

1 resposta

0

sealert -l 92a5910b-1bfe-4b98-a2de-d773cce85051 descreverá a causa exata, na seção de resumo você encontrará o nome do arquivo & o contexto do selinux

para corrigir o problema, execute o comando abaixo.

chcon -t selinux_context 'file_name'

Um comando sugerido para permitir o acesso e resolver a negação. ele dá o comando para alterar o tipo file1 para public_content_t, que é acessível para o Apache HTTP Server

Possível bug Link1 Link2

    
por 17.05.2016 / 10:52